I have a search that finds the maximum number of events that occur in a single second on any given hour during the day, using this:
.. | bin _time span=1s | stats count by _time, name | bin _time span=1h | stats max(count) as mcount by _time, service | ...
This gives me a table of values that looks like the following:
Hour | Maximum
1 AM | 900
2 AM | 323
........ | .....
Instead, I also want a third column which has the time that that event occurred, as follows:
1 AM | 900 | September 1 2016, 12:34:06
2 AM | 323 | September 5 2016, 11:07:01
........ | .....
Any help would be appreciated.